Google Drive and GDPR
Google Drive is one of the best-known file hosting services. Google Drive enables its users to save documents in the cloud, share files and edit documents together. Google Drive includes Google Docs, Sheets, Slides and Forms, an office software package that enables the shared editing of documents, spreadsheets, presentations, etc. Files shared publicly on Google Drive can be found using Internet search engines. So far, so good. But how does Google Drive deal with data protection? What do companies need to bear in mind if they want to use the service?
Data protection requirements for cloud service providers from third countries
One of the most important innovations of the General Data Protection Regulation is the establishment of the so-called marketplace principle. If a company offers products or services to citizens of the European Union, regardless of where in the world it is based, it must comply with the requirements of the GDPR. Conversely, European companies are obliged to ensure that data exports to a cloud provider comply with data protection law.
Within the EU, data processing agreements are concluded for this purpose in accordance with Art. 28 GDPR. If personal data is outsourced to a service provider based in a third country, whereby access for occasional "troubleshooting" is sufficient, standard contractual clauses and additional, supplementary measures must generally be taken to ensure an adequate level of data protection in the third country.
Additional measures can consist of encrypting or anonymizing the data to be exported. This is to protect the confidentiality of the data against access by authorities or secret services, which can be perfectly legal in the USA. In the case of encryption, it should be noted that the key remains in the hands of the client, i.e. not Google in this case.
What does Google offer its customers after "Schrems II"?
The answer to this question has to be rather flippant: Google offers quite a lot, but unfortunately hardly anything useful. For example, there is no information in accordance with Art. 13 GDPR for the Google Drive product, but there is for all Google services: "This privacy policy applies to all services offered by Google LLC and its affiliates, including YouTube, Android and services provided on third-party websites, such as advertising services." It could hardly be more confusing and, in the opinion of the author of these lines, violates the transparency obligations of the GDPR. Even the numerous videos on data protection do not change this. Clear and simple language would be much more helpful.
With regard to the transfer of data to the USA, Google works with the new standard contractual clauses and offers a pre-filled template of Module 2 EU Controller-to-Processor. However, transparency with regard to data protection and Google Drive also falls by the wayside here when, for example, the data categories are described in Annex I of the standard contractual clauses as follows: "Family, lifestyle and social circumstances, including any information relating to the family of the data subject and the data subject's lifestyle and social circumstances, including details of family and other household members, habits, housing, travel details, leisure activities, and membership of charitable or voluntary organizations." There are similar all-encompassing descriptions for "Personal details", "Employment details", "Financial details", "Education and training details", etc. Again, this is not really transparent.
Transfer Impact Assessment
With the new standard contractual clauses, there is now an obligation to carry out a "transfer impact assessment", a comprehensive, case-by-case data protection impact assessment prior to a transfer to a third country. The following control question must be answered: Can and will Google actually fulfill its contractual obligations under the GDPR? To answer this question, you would have to click through the numerous documents, annexes, videos and other links that Google has provided here. It remains to be seen whether we will ultimately find all the information we need to make a reliable statement.
And now?
As a thoroughly standardized "Internet giant", Google will hardly address the need for clarification of small and medium-sized companies, not even with regard to Google Drive and the General Data Protection Regulation. The conclusion of the standard contractual clauses on offer will be based on the "time-or-die" principle. Companies should therefore proactively take further security measures and, if they decide to use Google Drive, only upload highly encrypted data and not hand over the key.
This would be one way of ensuring at least some level of data protection for Google Drive in Germany. After all, it will be some time before homomorphic encryption is used across the board. 2B Advice would be happy to support your company with a data protection assessment of the use of Google Drive, in particular with the implementation of the transfer impact assessment.